The present invention relates to a storage system sharing method in an information processing system, and in particular, to a method, for use in a computer system in which a storage system is interconnected with a plurality of computers via Fibre Channel or the like, of sharing the storage system according to access control.
When data is communicated between a plurality of host computers (hosts) by sharing the data or by transferring files, a network interface such as xe2x80x9cEthernetxe2x80x9d is used in general. On the other hand, there may be used a storage system which can be accessed by a plurality of hosts.
For example, it can be considered that data is communicated between a plurality of hosts such that a file created by a mainframe host among the hosts is accessed by a computer in an open system (an open host) such as UNIX. Specifically, there exists a method in which by using a storage system including a plurality of interfaces for connections to both of a mainframe host and an open host, a plurality of hosts directly access the storage system to resultantly share data therebetween. JP-A-09-258908 describes this method.
On the other hand, there exists a technique in which a storage area network (SAN) is configured by connecting a plurality of hosts and a plurality of storage systems to each other via a Fibre Channel capable of transferring data at a high speed.
Any host constituting the SAN can access any storage system in the SAN. Therefore, a plurality of hosts can easily share any storage system without using the storage system including a plurality of interfaces described in JP-A-09-258908.
However, since all hosts in the SAN can freely access the storage systems in the SAN, there arises a problem that security is not guaranteed when a host in the SAN accesses an associated storage system in the SAN.
To solve the problem, there has been devised a method of guaranteeing security when a host in the SAN accesses a storage system thereof.
In a concrete method, an identifier of each host which is allowed to access a storage system or a logical unit (LU) in the storage system is registered to the storage system in advance. When a host accesses a storage system, the storage system refers to the registered identifiers to determine that the access is granted or rejected. JP-A-10-333839 describes the technique.
By the prior art, it is possible to impose restrictions on the access from each host to the logical units. However, in an actual computer system, it is required depending on cases that the access is restricted at a finer level, for example, a file level. For example, there is required restriction that only particular users can access a certain file. In this case, the access restriction at the logical unit level described in JP-A-10-333839 cannot restrict the access at the required file level.
It is therefore the object of the present invention to provide an access restriction method at a finer and securer level in a data sharing method using a storage system in an SAN environment.
Description will be given of a system of the present invention to attain the object. A computer system of the present invention includes a plurality of host computers and a storage system. The storage system includes at least one disk (device) and is connected to each host computer via a Fibre Channel switch.
In the computer system of the present invention, the storage system rejects access from each host computer in principle. A host computer which desires to access the storage system sets a request to the storage system that the storage system allows the access. The setting for access allowance/rejection can be conducted for each desired area of the disks. In the computer system, one of the host computers includes a unit to indicate the setting/release of access allowance for the storage system. When a host computer desires to access data in the storage system, the host computer sends a request of access allowance setting to the pertinent host computer including the unit. When the pertinent host computer issues an indication to the storage system, the storage system conducts certification using a password. The indicating host computer including the unit indicates the storage system to allow the access to a pertinent area on the disk so that the computer having issued the access request accesses data on the disk. Thereafter, the computer having issued the request accesses the data on the disk. When the access is completed, the computer requests the indicating computer to release the setting of access allowance. The indicating computer indicates the storage system to release the access allowance setting for the area. The storage system accordingly releases the setting of access allowance for the area.